
Mitigating Audit Log-Related Risk in Medical Professional Liability Cases

In this podcast we will discuss the lines of defense incorporated into the design, development, implementation, and use of EHRs to ensure their integrity, and the types of EHR transaction logs (e.g., audit logs) that exist.

Featuring:
Dean Sittig, PhD

I am a Professor Emeritus in the McWilliams School of Biomedical Informatics at the University of Texas Health Science Center in Houston, TX and President of the Informatics Review LLC. I received my PhD in Medical Informatics from the University of Utah. My research and consulting interests and expertise center on design, development, implementation, and evaluation of all aspects of clinical information and communication systems with a special emphasis on electronic health records and clinical decision support. I have spent my career working to understand both the factors that lead to success, as well as the unintended consequences associated with use of health information technology. Most recently I have focused on developing guidelines for the safe and effective implementation and use of electronic health records (EHRs) that are based on an 8-dimension socio-technical model that I developed with Hardeep Singh. This work led to the development of the SAFER guides that were designed to help healthcare organizations conduct proactive risk assessments of their EHRs. I occasionally serve as an expert witness in legal matters that involve the analysis of EHRs.

Transcription:

Bill Klaproth (Host): Welcome to the ASHRM podcast made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM at ashrm.org/membership to learn more and to become an ASHRM member. I'm Bill Klaproth. And on this episode we talk with Dean Sittig, Professor Emeritus at the University of Texas Health Science Center and President of Informatics Review. We're going to talk to Dean about the ASHRM enterprise risk insights and how EHR audit logs can play a key role in improving healthcare delivery and reducing liability risks.


Dean, welcome.


Dean Sittig, PhD: Hey Bill, thanks. It's great to be here today.


Host: Thank you for your time. I really appreciate this. I thought we would start with this, just a level set to kick us off. Dean, can you explain the primary purpose of EHR audit logs in the context of healthcare risk management?


Dean Sittig, PhD: Uh, sure. The, the, the main reason we're talking about this today is in, uh, sort of investigating incidents or events that happened, usually adverse events that happen in the hospital, and they may be like related to an electronic health record, um, or a medical malpractice issue. The other reason that the audit log is available is for, uh, unauthorized access. And so that sometimes falls in risk management or maybe it'll fall in, uh, some other part of the hospital. But it's a good way to look at, um, if someone complains that someone's reviewed their, uh, EHR record inappropriately, you can use the audit log to see if that's occurred.


Host: That's really interesting, and then what kinds of questions can an EHR's audit log help answer during an investigation?


Dean Sittig, PhD: Well, uh, what it really tells you is who was entering the data. What data they were entering, uh, when they were doing that. And, uh, usually a coded form of where the computer was, where they were making those edits. And so you can understand, for example, that this was a nurse on nursing unit 3. Uh, at a desktop machine entering the blood pressure and this is the time that she did it.


And usually that time is just a little different than the actual time the blood pressure's being recorded. Because usually they record the blood pressure, for example, at, uh, at noon, and then they go and record it, you know, at 12:05. And so there's usually a little gap in there. And so the audit log can tell you that difference between when it was actually recorded and when the value was, uh, reflective of the patient's condition.


Host: So this kinda leaves a uh, a footprint and a timeline, if you will.


Dean Sittig, PhD: Yes. And that's a, you know, and so that, that timeline and that footprint can, uh, help you to answer a lot of other questions. Like if you are trying to say, um, like there's an incident involved and you're trying to say, well what, what, uh, clinicians were involved in the care of this patient? You could look in the audit log or, uh, how long were people like looking at the patient?


And so, for example, you can sort of see time increments between accesses of the EHR and so you can see that someone, you know, for example, in one case I was in, a radiologist, only took eight seconds to review a CT scan, which had, you know, hundreds of images and that didn't look good for the radiologist. It looked like he sort of rushed through his work and so it can tell you those kind of things as well.


Host: Yeah. So as you're trying to piece the story together, these logs can really help inform you of what actually happened.


Dean Sittig, PhD: Yeah, I, I think the key to remember is they can, uh, help you inform, like you said, what happened, when it happened and who did it. What it can't tell you is why they did it, or you know, what they were thinking when they did it. And a lot of the times, the intent is what we're really after, especially in a medical malpractice case.


Host: So you can come and then ask the necessary questions. Hey, I see this. The data is telling me this. Why did this happen? You can then find that out.


Dean Sittig, PhD: Yeah. And then, so then you'd go to the person that was actually involved and say, Hey, you know, I, I saw you were entering this. What were you thinking? Or what, why were you doing that? Or


Host: So, yeah. Dean, is there a, a situation or, or can a user modify a patient's EHR without being detected? If maybe they're like, uh-oh, this is going to record that I only looked at this eight seconds. I'm going to type in two minutes. Can it, can that happen?


Dean Sittig, PhD: Uh, well, I, you know, the, the real answer to that is like in all practical, uh, all practical means, no. I mean, if, uh, if you happen to be a, a nurse who was also an NSA, former NSA computing hacking specialist and had access to the server room and had access to the software, I mean, there's a lot of things you have to do to be able to do that.


And, you know, the, the, the number of people that have that in the world is very small, but I can't say never. And so, uh, but for all practical purposes in the hospital, like there's no one that can, if, if, if you change the record, there's going to be a trace of you changing the record.


Host: Right. So that's going to show that as well. Okay. I just wanted to ask that question. Somebody might be thinking about that. And besides the standard audit log, what other transaction logs are commonly used in healthcare facilities?


Dean Sittig, PhD: Well, so the, the, the audit log is the one that's sort of required by the Meaningful Use and the HIPAA requirements. And so that, uh, records like we've been talking about who did it, when they did it and things like that. There's other audit logs that are associated with, um, like ancillary systems. Like a hospital would have a PACS system and or a lab system, a blood pressure of, I mean a blood bank system. And those would each have their own audit logs. And sometimes it's interesting to look at those. Uh, sometimes there's devices that are connected to the computer, like a, uh, an IV pump or a blood pressure, automatic blood pressure monitoring device. And those would have a small little audit log in them.


Uh, the, these other, other audit logs other than the ones I'm talking about, I guess we should call those transaction logs. Those are um, they're not kept as long, they're not usually provided in a medical malpractice case because, you know, they usually, the cases are two or three years after the event when the case finally gets to, you know, people start investigating it.


But in, in the hospital, if you were really trying to find out what happened and, you know, the event just happened yesterday or last week, you, you could try to go and find these devices and try to get some more information from those devices.


Host: I could see where that could be very beneficial as well.


Dean Sittig, PhD: Yeah, the, I mean, the hard part of that is, uh, sometimes those, like, um, like an IV pump for example, is usually a, a portable pump. And so you bring it into the patient's room and usually it's associated with the patient. And so usually they put some information about the patient into the pump. Sometimes we don't, don't do stuff, like if you're looking at a fax machine, for example, and you want to know when a fax was received.


You, you can see like maybe the ID of the fax, but you don't know. It's not really associated with a patient or with a user. And so sometimes it can be a little harder to, uh, associate and, you know, when we're trying to, uh, you know, like investigate an incident and, you know, potentially fire someone or have a legal case, I mean, you've gotta have really ironclad evidence. You can't just have close enough. And so sometimes these other devices are a little harder to associate with the actual person. So they keep data but not, uh, it's hard to prove that it was me that was using the device as opposed to you using the device.


Host: Yeah, absolutely. So as I'm listening to you, Dean, and you're talking about investigating incidents, can you share common audit log related issues that you've seen? I'm sure you've come across many in your career.


Dean Sittig, PhD: Well, uh, a, a lot, a lot of the incidents occur in, uh, cases where there's abnormal test results that are um, not followed up on. And so what happens is, you know, the physician orders a test and the test comes back and it's abnormal and nobody sees it or nobody does anything with it. And so, uh, this can happen especially with like in the emergency departments.


Like you might have a, um like a blood test that goes out and then the patient seems to be getting better and they, they send the patient home and then the blood test comes back an hour later after the patient's left and there's an abnormal result. And the question is, who, who's supposed to follow up on that?


And the hospital ought to have a policy and ought to have procedure, and ought to have people that are, are responsible for doing that. You know, you'd hope that the patient has a primary care physician. You can call him and tell him or her, um, but sometimes they don't. In those cases, that can be a real problem. Like this can also happen like with radiology exams. I've had several cases like this where, uh, we have what's called an incidentaloma. So they do like a, in one case they did a stomach, a CT of the stomach, and the bottom of the lung was also visible in that, and in the bottom of the lung there was a little mass.


And so the radiologist read it and said the stomach was okay, you know, there you can send them home. But I noticed there was a mass in the lung that should be investigated, but the patient's already left. And so nobody follows up on that. And then two years later the patient comes back and they've got a cough and they're coughing up blood and you know, someone does a chest x-ray and they see that they have lung cancer and then they look back and they say, well, here was a, two years ago, there was a lung mass. Why didn't you have this followed up? And the patient will say, I never knew anything about that. And you know, that's a, a lawsuit that's, you know, you've gotta settle that as quickly as possible. You have no way of winning that. Because there was the, the result we see that no one we see when it came back, we see that nobody looked at it.


And, uh, I think those are like the, the most, uh, glaring, uh, types of issues that I deal with.


Host: Well, thanks for sharing that, uh, example on that. So then, piggybacking on that, what best practices can healthcare organizations adopt to reduce their exposure to medical professional liability issues related to the use of the EHR and the audit log?


Dean Sittig, PhD: Well, uh, you know, there's a lot to, to take making sure that your EHR is functioning properly and working as expected, and, you know, things are up to date, like you've got the latest versions of the software and things like that. In terms of just the audit log itself, um, you know, like we, one of the things you want to make sure is that everyone in your hospital has a unique username and a password.


And so that, uh, uh, clearly identifies someone. You don't want people sharing passwords or you don't want clinicians that don't have a password, like trying to use the system and saying, oh, Bill, can I borrow your login to look for something, that would not be good. Um, and then usually in a larger organization, like we're talking about, usually a hospital or even a, you know, an outpatient clinic that has more than, I don't know, I'd say five or 10 uh, people in it, you should have what I call role-based access. And so this means that nurses can see and do a different set of, uh, activities in the computer system than a physician can. So like, you don't want a nurse being able to, uh, write an order for a narcotic, a Schedule II narcotic. Um, and then you don't want a, like a, a, a clerk to be able to enter an order for anything.


But you want the clerks to be able to see where the patient is and see if the room's clean and see if, you know, they should be moving stuff around. And so this role-based access, uh, works on the principle of the only the information you need to do your job. That can help a lot. Um, you can also do what we call an automatic timeout for computers that are in like shared areas.


And so if I walk away from my computer, it should sort of shut down in, you know, three or five minutes or something like that. And that stops someone else from coming in, what we call poaching on your system. And so someone like, I'm using the system and I walk away, you could come on and start doing stuff and it looks like everything that you did is on my login.


So if you look up a patient inappropriately or you enter an order for someone, it looks like I did it. And that can be, uh, impossible to track later, you know, after a year. And so you want to have that automatic timeout things. And then, you know, there's things about like making sure your audit log is functioning.


That's been a problem in some hospitals, making sure your audit log is stored like on a separate server. You don't want it, uh, in the same place. You want your audit log to be backed up just like your computer, your EHR system is backed up, you know, on, on a daily basis, if not more regularly. And then, um, you know, the, the hot, the someone in risk management should know how do what, what's in the audit log. So you should like, have someone, like watch a physician, enter an order, review a result, uh, send a message to another clinician, and then look in the audit log and see what you, see, what you can see from that. And I think if people really understood exactly what was being tracked and who was doing it, uh, it would help them to understand, you know, what they could get from the EHR and then what they, what's being tracked and what they should do.


Like people, like everyone in the hospital should know that everything they do on the computer system, actually everyone should know anything you do on any computer system is really being tracked at all times. And, uh, you know, if you're doing things you shouldn't be doing, if anyone, if anyone cares now I'll emphasize that like no one's gen generally watching you, but if they do care, they can find out what you were doing.


And so, uh, we've lost all semblances of privacy or confidentiality in our world, and people are really tracking us, and we should know that. And the audit log is just the EHR's version of doing that. Other systems have other ways of doing that, and I, I think if they did stuff like that, it would really, um, improve their handling of, uh, incidents in the hospital.


Host: Well, that's a great checklist, Dean. Thank you for sharing that with us. You mentioned have a unique username and password. You talked about role-based access, the automatic timeout, which makes sense. Uh, you said make sure the audit log is functioning properly, is stored in a safe place, backed up, and you should check it through to make sure that the data is correctly tracking.


So great uh, steps and tips Dean. Thank you so much for sharing those with us. Also, for any new risk managers we might have listening right now, what advice would you give to a new healthcare risk manager regarding the importance of audit logs?


Dean Sittig, PhD: Well, uh, you know, the, the, the end result of the risk manager's job is like these medical malpractice lawsuits. And so when someone like a, a plaintiff attorney asks for copies of the record, you should make sure that there's someone in your organization that knows how to produce, like you're going to produce a record in a, a printed form, and so you need to have a, a policy in place that says, what part of the record are you going to print? Because we usually don't print all of the record. We usually print what we call the legal medical record. And that's the part that's, um, used by the clinicians to make decisions and care for the patients. And so we don't, we don't produce, uh, detailed, uh, timelines of when laboratory results, uh, specimens got to the lab, how long it took the lab to modify, fix them, when the result was done and things like that. We, we usually show when the order was done and when the result was available. And so the, the, the, the health risk manager needs to understand sort of what they're going to produce and how to produce that audit log.


Uh, and one of the things that I see that gets defense side in so much trouble in these cases is sometimes they produce multiple copies of the electronic record or multiple copies of the audit log over time. And generally those are a slightly different, and those, uh, slight differences while they're not, um, generally a reason to, to make you look like it makes you look bad. It makes you look like you don't know what you're doing. The plaintiff attorneys get very upset about that. So you want to sort of understand how this works and you could work with your, uh, IT professionals in your hospital, like someone that's responsible for running the computer system to sort of learn how this works and what it can and can't do. And that'll give you a good feel for a, a really important tool that you have at your disposal.


Host: Yeah, that's good advice as well, Dean. Thank you for sharing that. Well, this has really been fascinating. Really interesting and thoughtful, so thank you for your time Dean. Before we go, I'd just like to find out, is there anything else you'd like to say? Any, anything you want to add?


Dean Sittig, PhD: I, you know, one of the things I say almost in every case I'm involved in is when you're trying to, um, investigate a case, you know, uh, people always see those, uh plane crashes and they, they talk about that black box recorder that records like what, what, what the cockpit was saying and what, how all the instruments were organized.


And they, uh, they always want, that's what you want in an investigation. And the EHR and the audit log don't provide that. They're not a movie. They really provide sort of snapshots. And so I always talk about, like if you go on vacation and I show you my snapshots, I show you the good times. We had fun eating dinner. We went to the beach, or we went out and climbed to the top of the mountain. I don't show you where I fell and broke my ankle, or where I got mosquito bites and things like that. Usually we edit out a lot of pieces and so when you get this audit log, you're looking at snapshots and someone still has to sort of fill in what happened in between those two things. Between those two snapshots. That's when you're going to talk to people, you're going to use your knowledge of how the hospital works to try to fill that in. And so I just want you to understand sort of, there's, you know, the, the audit log provides a tremendous, uh, wealth of information, uh, a lot of information that we can't get anywhere else, but it doesn't provide everything you're gonna need. And so you want to still, uh, understand those, the limitations of these logs.


Host: So it's not the full complete picture?


Dean Sittig, PhD: It's not a, not a movie of what happened. That's, it's not, it's just a, it's an edited, it's a, and it's good because it's an independent view. Like, uh, usually what people write in the EHR, I control, but what's written to the audit log is independent of me and it's made, it's like automatically entered by the computer system.


So that makes it good and makes it objective, uh, hard to change, things like that. But it also is incomplete.


Host: Absolutely. Kind of a roadmap that kind of can lead you down the road of the answers you're trying to find.


Dean Sittig, PhD: Yes. It provides a it's certainly a huge, another piece of information in an investigation that can be very useful.


Host: Absolutely. Well, Dean, this has been, uh, fantastic. Thank you so much for your time.


I really appreciate


Dean Sittig, PhD: Thank, thank you. It was great being here today.


Host: Yeah, really enjoyed talking with you. Thank you again, Dean. And remember, every healthcare organization should review their EHR's audit log related policies, procedures, and practices periodically and following any significant change in EHR functionality.


Once again, that is Dean Sittig, and for more resources and to enhance your expertise in healthcare risk management, please visit ashrm.org/membership. And if you're not already a member, please consider becoming an ASHRM member. The ASHRM Podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. Thanks for listening.